next email library
Hello, I'm working on a password-recovery-by-email feature in Next.js. Which mailing lib/service do you suggest?
23 Replies
nodemailer, it's fairly simple
you could even use React Email with it
Theo made a video about React Email recently
https://www.youtube.com/watch?v=Xa1WaSPu5K8&t=166s
https://react.email/docs/integrations/nodemailer
they give more integrations on their website, you can use the one you'd like
https://react.email/docs/integrations/overview
Thanks, I'll use React Email with the nodemailer integration.
Or should I use Resend instead?
I used nodemailer in my project, it works absolutely fine for the password reset purpose, but you could try both and use the one you are more comfortable with.
Resend
thanks guys
If you don't mind, I want to send that verification token through that email. How can I generate it and make it match on both the server and client sides?
I used JWT to encode the user's id with a custom secret phrase that I match on the server.
The jwt JS lib has encode and decode methods for it, very handy.
You can also set an expiration date in it for auto-rejection if too much time has passed.
const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET!, {
  expiresIn: "15m",
});
jwt works for that.
Either jwt or storing a secret token in the database.
And you can send the token as a query parameter on the link, like https://your-app.com/forgotPass?token={YOUR_TOKEN_HERE}
Then you send the token from the query as part of the user's request for the password change, and validate it on the server.
What about the
process.env.JWT_SECRET!
Should I make it with openssl?
Yeah, that's what I did.
Thanks bud.
What is the lib for jwt?
'openssl rand -base64 32' - it's the terminal command for a secret
jsonwebtoken
https://www.npmjs.com/package/jsonwebtoken
Damn, you're a life saver, thanks mate.
https://jwt.io/libraries - you can choose another
There's one called jose,
but I haven't used it.
I think I normally use jose when I do jwt stuff.
this one is by the team behind Auth0
Make sure you don't send the client on the recovery page any confirmation that they got the info right or wrong, or any confirmation of success or failure. Just reply 'Successfully sent for reset', so that the attacker can't know if they got any info right.
I didn't understand, would you explain it again?
Yeah, so when a user clicks "forgot password", do you give them a form to type in their email?
When they enter an email/username, don't send them errors if they typed it incorrectly or you haven't found a corresponding email/user in your DB.
Okay, why?
Say it's a hacker and they want to know if a certain user exists in your app. They can just try their email/username in the reset-password form, and if it doesn't match, they would know the user isn't registered.
They can then try to use an already-leaked password in your app, as people use the same passwords on multiple websites, and passwords tend to leak.
check those links for more info
https://security.stackexchange.com/questions/213975/how-to-properly-create-a-password-reset-token
https://cinquewebdev.medium.com/how-to-implement-forgot-password-functionality-with-jwt-authentication-e1381263026c
https://www.smashingmagazine.com/2017/11/safe-password-resets-with-json-web-tokens/
got it
Make sure you generate the token on the server so that your secret isn't leaked too.
So an API page or route handler?
Yes, ofc, I'll make it in /auth/forgetpass/route.ts.